3 changes: 3 additions & 0 deletions .circleci/config.yml
@@ -161,6 +161,7 @@ workflows:
ignore:
- master
- variant/ubi
- variant/ubi10
- publish-single-arch:
matrix:
parameters:
@@ -174,6 +175,7 @@ workflows:
only:
- master
- variant/ubi
- variant/ubi10
- publish-multi-arch:
matrix:
parameters:
@@ -188,3 +190,4 @@ workflows:
only:
- master
- variant/ubi
- variant/ubi10
129 changes: 88 additions & 41 deletions Dockerfile.tpl
@@ -9,18 +9,18 @@ FROM ${BASE_IMAGE} AS core
# TODO: switch `vim` back to `vim-minimal` once https://issues.redhat.com/browse/RHEL-25748 is resolved
RUN microdnf -y upgrade && \
microdnf -y install \
hostname \
iputils \
less \
ncurses \
openssh-clients \
rsync \
tar \
unzip \
uuid \
vim-minimal \
/usr/bin/ps \
/usr/bin/which \
hostname \
iputils \
less \
ncurses \
openssh-clients \
rsync \
tar \
unzip \
uuid \
vim-minimal \
/usr/bin/ps \
/usr/bin/which \
&& \
rm -rf /var/cache/yum

@@ -35,22 +35,32 @@ RUN microdnf -y install \
automake \
gcc \
git \
java-1.8.0-openjdk-devel \
libtool \
make


RUN if [ "$(uname -m)" = "x86_64" ]; then \
curl -L https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u482-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u482b08.tar.gz --output /tmp/openjdk8.tar.gz; \
elif [ "$(uname -m)" = "aarch64" ] || [ "$(uname -m)" = "arm64" ]; then \
curl -L https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u482-b08/OpenJDK8U-jdk_aarch64_linux_hotspot_8u482b08.tar.gz --output /tmp/openjdk8.tar.gz; \
fi && \
tar -xzf /tmp/openjdk8.tar.gz -C /opt && \
rm -f /tmp/openjdk8.tar.gz

## Checkout and build JICMP
RUN git config --global advice.detachedHead false

RUN git clone --depth 1 --branch "${JICMP_VERSION}" "${JICMP_GIT_REPO_URL}" /usr/src/jicmp && \
RUN export JAVA_HOME=/opt/jdk8u482-b08 && export PATH=/opt/jdk8u482-b08/bin:$PATH && \
git clone --depth 1 --branch "${JICMP_VERSION}" "${JICMP_GIT_REPO_URL}" /usr/src/jicmp && \
cd /usr/src/jicmp && \
git submodule update --init --recursive --depth 1 && \
autoreconf -fvi && \
./configure
RUN cd /usr/src/jicmp && make -j1

# Checkout and build JICMP6
RUN git clone --depth 1 --branch "${JICMP6_VERSION}" "${JICMP6_GIT_REPO_URL}" /usr/src/jicmp6 && \
RUN export JAVA_HOME=/opt/jdk8u482-b08 && export PATH=/opt/jdk8u482-b08/bin:$PATH && \
git clone --depth 1 --branch "${JICMP6_VERSION}" "${JICMP6_GIT_REPO_URL}" /usr/src/jicmp6 && \
cd /usr/src/jicmp6 && \
git submodule update --init --recursive --depth 1 && \
autoreconf -fvi && \
@@ -66,25 +76,59 @@ RUN cd /usr/src/jattach && make
##
FROM core

RUN microdnf -y install \
"java-${JAVA_MAJOR_VERSION}-openjdk-headless" \
&& \
rm -rf /var/cache/yum
# if JAVA_MAJOR_VERSION is 11, use this:
# https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.30_7.tar.gz
RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ]; then \
if [ "$(uname -m)" = "x86_64" ]; then \
curl -L "https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.30_7.tar.gz" --output /tmp/openjdk.tar.gz; \
elif [ "$(uname -m)" = "aarch64" ] || [ "$(uname -m)" = "arm64" ]; then \
curl -L "https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_aarch64_linux_hotspot_11.0.30_7.tar.gz" --output /tmp/openjdk.tar.gz; \
fi && \
tar -xzf /tmp/openjdk.tar.gz -C /opt && \
rm -f /tmp/openjdk.tar.gz; \
fi
# if JAVA_MAJOR_VERSION is 17, use this:
# https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_x64_linux_hotspot_17.0.18_8.tar.gz
RUN if [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
if [ "$(uname -m)" = "x86_64" ]; then \
curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_x64_linux_hotspot_17.0.18_8.tar.gz" --output /tmp/openjdk.tar.gz; \
elif [ "$(uname -m)" = "aarch64" ] || [ "$(uname -m)" = "arm64" ]; then \
curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_aarch64_linux_hotspot_17.0.18_8.tar.gz" --output /tmp/openjdk.tar.gz; \
fi && \
Comment on lines +79 to +97

Copilot AI Feb 4, 2026


The architecture detection and URL construction logic is duplicated across JDK 8, 11, and 17 installations. Consider extracting this into a reusable function or parameterized block to reduce code duplication and improve maintainability.

Suggested change
# if JAVA_MAJOR_VERSION is 11, use this:
# https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.30_7.tar.gz
RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ]; then \
if [ "$(uname -m)" = "x86_64" ]; then \
curl -L "https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.30_7.tar.gz" --output /tmp/openjdk.tar.gz; \
elif [ "$(uname -m)" = "aarch64" ] || [ "$(uname -m)" = "arm64" ]; then \
curl -L "https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_aarch64_linux_hotspot_11.0.30_7.tar.gz" --output /tmp/openjdk.tar.gz; \
fi && \
tar -xzf /tmp/openjdk.tar.gz -C /opt && \
rm -f /tmp/openjdk.tar.gz; \
fi
# if JAVA_MAJOR_VERSION is 17, use this:
# https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_x64_linux_hotspot_17.0.18_8.tar.gz
RUN if [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
if [ "$(uname -m)" = "x86_64" ]; then \
curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_x64_linux_hotspot_17.0.18_8.tar.gz" --output /tmp/openjdk.tar.gz; \
elif [ "$(uname -m)" = "aarch64" ] || [ "$(uname -m)" = "arm64" ]; then \
curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_aarch64_linux_hotspot_17.0.18_8.tar.gz" --output /tmp/openjdk.tar.gz; \
fi && \
# if JAVA_MAJOR_VERSION is 11 or 17, use the corresponding Adoptium Temurin binary
# e.g. for 11 (x64):
# https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.30%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.30_7.tar.gz
# and for 17 (x64):
# https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_x64_linux_hotspot_17.0.18_8.tar.gz
RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ] || [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
ARCH_RAW="$(uname -m)"; \
if [ "${ARCH_RAW}" = "x86_64" ]; then \
ARCH="x64"; \
elif [ "${ARCH_RAW}" = "aarch64" ] || [ "${ARCH_RAW}" = "arm64" ]; then \
ARCH="aarch64"; \
else \
echo "Unsupported architecture: ${ARCH_RAW}"; \
exit 1; \
fi; \
if [ "${JAVA_MAJOR_VERSION}" = "11" ]; then \
BASE_URL="https://github.com/adoptium/temurin11-binaries/releases/download"; \
JDK_TAG="jdk-11.0.30%2B7"; \
JDK_VERSION="11.0.30_7"; \
elif [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
BASE_URL="https://github.com/adoptium/temurin17-binaries/releases/download"; \
JDK_TAG="jdk-17.0.18%2B8"; \
JDK_VERSION="17.0.18_8"; \
fi; \
JDK_URL="${BASE_URL}/${JDK_TAG}/OpenJDK${JAVA_MAJOR_VERSION}U-jdk_${ARCH}_linux_hotspot_${JDK_VERSION}.tar.gz"; \
curl -L "${JDK_URL}" --output /tmp/openjdk.tar.gz && \

tar -xzf /tmp/openjdk.tar.gz -C /opt && \
rm -f /tmp/openjdk.tar.gz; \
fi
# else install using microdnf
RUN if [ "${JAVA_MAJOR_VERSION}" != "11" ] && [ "${JAVA_MAJOR_VERSION}" != "17" ]; then \
echo "Installing OpenJDK ${JAVA_MAJOR_VERSION} via microdnf"; \
microdnf -y install \
"java-${JAVA_MAJOR_VERSION}-openjdk-headless" && \
rm -rf /var/cache/yum; \
fi

# Set JAVA_HOME based on installed version - create a symlink for consistency
RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ]; then \
ln -sf /opt/jdk-11.0.30+7 /opt/java; \
elif [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
ln -sf /opt/jdk-17.0.18+8 /opt/java; \
Comment on lines +110 to +113

Copilot AI Feb 4, 2026


The JDK version paths are hardcoded (jdk-11.0.30+7, jdk-17.0.18+8) but should be derived from the actual extracted directory names to avoid breaking when JDK patch versions are updated. The tar extraction creates versioned directories that should be discovered dynamically.

Suggested change
RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ]; then \
ln -sf /opt/jdk-11.0.30+7 /opt/java; \
elif [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
ln -sf /opt/jdk-17.0.18+8 /opt/java; \
RUN if [ "${JAVA_MAJOR_VERSION}" = "11" ] || [ "${JAVA_MAJOR_VERSION}" = "17" ]; then \
JDK_DIR=$(ls -d /opt/jdk-"${JAVA_MAJOR_VERSION}"* 2>/dev/null | head -n 1); \
if [ -z "${JDK_DIR}" ]; then echo "No JDK directory found for JAVA_MAJOR_VERSION=${JAVA_MAJOR_VERSION}" >&2; exit 1; fi; \
ln -sf "${JDK_DIR}" /opt/java; \

else \
ln -sf $(dirname $(dirname $(readlink -f $(which java)))) /opt/java; \
fi

# Set JAVA_HOME at runtime
ENV JAVA_HOME=${JAVA_HOME}
ENV JAVA_HOME=/opt/java

# To be able to use DGRAM to send ICMP messages we have to give the java binary CAP_NET_RAW capabilities in Linux.
COPY do-setcap.sh /usr/local/bin/
RUN /usr/local/bin/do-setcap.sh

# Install confd
RUN if [ "$(uname -m)" = "x86_64" ]; then \
curl -L "${CONFD_SOURCE}/releases/download/v${CONFD_VERSION}/confd-v${CONFD_VERSION}-linux-amd64.tar.gz" --output /tmp/confd.tar.gz; \
curl -L "${CONFD_SOURCE}/releases/download/v${CONFD_VERSION}/confd-v${CONFD_VERSION}-linux-amd64.tar.gz" --output /tmp/confd.tar.gz; \
elif [ "$(uname -m)" = "armv7l" ]; then \
curl -L "${CONFD_SOURCE}/releases/download/v${CONFD_VERSION}/confd-v${CONFD_VERSION}-linux-arm7.tar.gz" --output /tmp/confd.tar.gz; \
curl -L "${CONFD_SOURCE}/releases/download/v${CONFD_VERSION}/confd-v${CONFD_VERSION}-linux-arm7.tar.gz" --output /tmp/confd.tar.gz; \
else \
curl -L "${CONFD_SOURCE}/releases/download/v${CONFD_VERSION}/confd-v${CONFD_VERSION}-linux-arm64.tar.gz" --output /tmp/confd.tar.gz; \
curl -L "${CONFD_SOURCE}/releases/download/v${CONFD_VERSION}/confd-v${CONFD_VERSION}-linux-arm64.tar.gz" --output /tmp/confd.tar.gz; \
fi && \
cd /usr/bin && \
tar -xzf /tmp/confd.tar.gz && \
@@ -115,24 +159,27 @@ RUN curl -L "${PROM_JMX_EXPORTER_URL}" --output ./jmx_prometheus_javaagent.jar &
chmod 2775 /opt/prom-jmx-exporter && \
chmod 0664 /opt/prom-jmx-exporter/*

# Install OpenNMS yum repo,
# NOTE: we are disabling gpgcheck and signature verification here to avoid issues with
# our current signing setup;
RUN curl -L --output /tmp/repo.rpm https://yum.opennms.org/repofiles/opennms-repo-stable-rhel9.noarch.rpm && \
rpm -Uf /tmp/repo.rpm && \
rpm --import https://yum.opennms.org/OPENNMS-GPG-KEY
rpm -Uvh --nodigest --nosignature --noverify /tmp/repo.rpm && \
sed -i 's/gpgcheck=1/gpgcheck=0/g' /etc/yum.repos.d/opennms*.repo && \
rm -f /tmp/repo.rpm

Comment on lines +166 to 169

Copilot AI Feb 4, 2026


Disabling GPG signature verification (--nodigest --nosignature --noverify) and package verification (gpgcheck=0) removes critical security checks. This exposes the build to potential package tampering. If this is temporary due to UBI 10 migration issues, consider documenting the reason and tracking removal of these flags once proper GPG keys are available.

Suggested change
rpm -Uvh --nodigest --nosignature --noverify /tmp/repo.rpm && \
sed -i 's/gpgcheck=1/gpgcheck=0/g' /etc/yum.repos.d/opennms*.repo && \
rm -f /tmp/repo.rpm
rpm -Uvh /tmp/repo.rpm && \
rm -f /tmp/repo.rpm

LABEL org.opencontainers.image.created="${BUILD_DATE}" \
org.opencontainers.image.title="OpenNMS deploy based on ${BASE_IMAGE}" \
org.opencontainers.image.source="${VCS_SOURCE}" \
org.opencontainers.image.revision="${VCS_REVISION}" \
org.opencontainers.image.version="${VERSION}" \
org.opencontainers.image.vendor="The OpenNMS Group, Inc." \
org.opencontainers.image.authors="OpenNMS Community" \
org.opencontainers.image.licenses="AGPL-3.0" \
org.opennms.image.base="${BASE_IMAGE}" \
org.opennms.image.java.version="${JAVA_MAJOR_VERSION}" \
org.opennms.image.java.home="${JAVA_HOME}" \
org.opennms.image.jicmp.version="${JICMP_VERSION}" \
org.opennms.image.jicmp6.version="${JICMP6_VERSION}" \
org.opennms.cicd.branch="${BUILD_BRANCH}" \
org.opennms.cicd.buildurl="${BUILD_URL}" \
org.opennms.cicd.buildnumber="${BUILD_NUMBER}"

org.opencontainers.image.title="OpenNMS deploy based on ${BASE_IMAGE}" \
org.opencontainers.image.source="${VCS_SOURCE}" \
org.opencontainers.image.revision="${VCS_REVISION}" \
org.opencontainers.image.version="${VERSION}" \
org.opencontainers.image.vendor="The OpenNMS Group, Inc." \
org.opencontainers.image.authors="OpenNMS Community" \
org.opencontainers.image.licenses="AGPL-3.0" \
org.opennms.image.base="${BASE_IMAGE}" \
org.opennms.image.java.version="${JAVA_MAJOR_VERSION}" \
org.opennms.image.java.home="${JAVA_HOME}" \
org.opennms.image.jicmp.version="${JICMP_VERSION}" \
org.opennms.image.jicmp6.version="${JICMP6_VERSION}" \
org.opennms.cicd.branch="${BUILD_BRANCH}" \
org.opennms.cicd.buildurl="${BUILD_URL}" \
org.opennms.cicd.buildnumber="${BUILD_NUMBER}"
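Review bot: The Temurin archives fetched with `curl -L` (the JDK 8 step in the builder stage and the JDK 11/17 steps in the final stage, which appear to be on the new side) are unpacked into /opt with no integrity check, so the build trusts whatever the redirect chain returns at build time. This matters more here because the page shows the resulting java binary later being given CAP_NET_RAW through do-setcap.sh. Pin the expected SHA-256 of each archive next to its URL and verify it between the download and `tar -xzf`, for example `echo "${JDK_SHA256}  /tmp/openjdk.tar.gz" | sha256sum -c - && \`, where `JDK_SHA256` is a placeholder name for a per-architecture digest taken from the checksum published with the release (no digest appears on this page). Switching to `curl -fsSL` would also make an HTTP error fail the step at the download instead of at `tar`. The confd download further down has the same gap, though that step looks unchanged apart from whitespace.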
10 changes: 5 additions & 5 deletions Makefile
@@ -10,21 +10,21 @@

SHELL := bash -o nounset -o pipefail -o errexit
BUILD_DATE := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
BASE_IMAGE := registry.access.redhat.com/ubi9-minimal
BASE_IMAGE := registry.access.redhat.com/ubi10-minimal

DOCKER_BUILDKIT := 1
DOCKER_CLI_EXPERIMENTAL := enabled
ARCHITECTURE := linux/amd64
BUILDER_INSTANCE := env-deploy-base-oci
TAG_ARCH := $(subst /,-,$(subst linux/,,$(ARCHITECTURE)))

JAVA_MAJOR_VERSION := 11
JAVA_MAJOR_VERSION := 21
JAVA_PKG := openjdk-$(JAVA_MAJOR_VERSION)-jre-headless
JAVA_HOME = /usr/lib/jvm/jre-${JAVA_MAJOR_VERSION}

# Version fallback uses the latest git version tag or the git hash if no git version is set.
# e.g. last git version tag is v1.1.0 -> 1.1.0 is used, otherwise the git hash
VERSION ?= ubi9-$(shell cat version.txt | sed -e 's,[\r\n]*,,')
VERSION ?= ubi10-$(shell cat version.txt | sed -e 's,[\r\n]*,,')
CONTAINER_REGISTRY ?= localhost
CONTAINER_REGISTRY_LOGIN ?= unset
CONTAINER_REGISTRY_PASS ?= unset
@@ -41,10 +41,10 @@ BUILD_URL ?= unset
BUILD_BRANCH ?= $(shell git branch --show-current)

JICMP_GIT_REPO_URL := https://github.com/opennms/jicmp
JICMP_VERSION := jicmp-3.0.0-2
JICMP_VERSION := jicmp-3.0.5-1

JICMP6_GIT_REPO_URL := https://github.com/opennms/jicmp6
JICMP6_VERSION := jicmp6-3.0.0-2
JICMP6_VERSION := jicmp6-3.0.5-1

JATTACH_GIT_REPO_URL := https://github.com/jattach/jattach
JATTACH_VERSION := v2.1